2012-01-04 18:33:27 +01:00
|
|
|
######################################
|
|
|
|
# Attribute declarations
|
|
|
|
#
|
|
|
|
|
|
|
|
# All types used for devices.
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
|
|
|
# in tools/checkfc.c
|
2012-01-04 18:33:27 +01:00
|
|
|
attribute dev_type;
|
|
|
|
|
|
|
|
# All types used for processes.
|
|
|
|
attribute domain;
|
|
|
|
|
|
|
|
# All types used for filesystems.
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
|
|
|
# definition in tools/checkfc.c.
|
2012-01-04 18:33:27 +01:00
|
|
|
attribute fs_type;
|
|
|
|
|
2014-05-30 14:49:51 +02:00
|
|
|
# All types used for context= mounts.
|
|
|
|
attribute contextmount_type;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All types used for files that can exist on a labeled fs.
|
|
|
|
# Do not use for pseudo file types.
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
|
|
|
# definition in tools/checkfc.c.
|
2012-01-04 18:33:27 +01:00
|
|
|
attribute file_type;
|
|
|
|
|
|
|
|
# All types used for domain entry points.
|
|
|
|
attribute exec_type;
|
|
|
|
|
|
|
|
# All types used for /data files.
|
|
|
|
attribute data_file_type;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute data_file_type false;
|
2017-03-28 07:44:40 +02:00
|
|
|
# All types in /data, not in /data/vendor
|
|
|
|
attribute core_data_file_type;
|
2018-01-24 16:01:13 +01:00
|
|
|
expandattribute core_data_file_type false;
|
2017-04-02 02:17:12 +02:00
|
|
|
# All types in /vendor
|
|
|
|
attribute vendor_file_type;
|
|
|
|
|
2018-02-16 03:07:18 +01:00
|
|
|
# All types used for procfs files.
|
|
|
|
attribute proc_type;
|
2018-05-01 18:40:33 +02:00
|
|
|
expandattribute proc_type false;
|
2018-02-16 03:07:18 +01:00
|
|
|
|
Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
|
|
|
# Types in /proc/net, excluding qtaguid types.
|
|
|
|
# TODO(b/9496886) Lock down access to /proc/net.
|
|
|
|
# This attribute is used to audit access to proc_net. it is temporary and will
|
|
|
|
# be removed.
|
|
|
|
attribute proc_net_type;
|
|
|
|
expandattribute proc_net_type true;
|
|
|
|
|
2018-02-16 03:07:18 +01:00
|
|
|
# All types used for sysfs files.
|
2012-01-04 18:33:27 +01:00
|
|
|
attribute sysfs_type;
|
|
|
|
|
2015-12-08 02:02:31 +01:00
|
|
|
# All types use for debugfs files.
|
|
|
|
attribute debugfs_type;
|
|
|
|
|
2013-03-07 01:26:36 +01:00
|
|
|
# Attribute used for all sdcards
|
|
|
|
attribute sdcard_type;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All types used for nodes/hosts.
|
|
|
|
attribute node_type;
|
|
|
|
|
|
|
|
# All types used for network interfaces.
|
|
|
|
attribute netif_type;
|
|
|
|
|
|
|
|
# All types used for network ports.
|
|
|
|
attribute port_type;
|
|
|
|
|
2012-04-04 16:11:16 +02:00
|
|
|
# All types used for property service
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_PC_ASSERT_ATTRS
|
|
|
|
# definition in tools/checkfc.c.
|
2012-04-04 16:11:16 +02:00
|
|
|
attribute property_type;
|
|
|
|
|
2015-12-08 23:45:50 +01:00
|
|
|
# All properties defined in core SELinux policy. Should not be
|
|
|
|
# used by device specific properties
|
|
|
|
attribute core_property_type;
|
|
|
|
|
2016-04-15 20:10:06 +02:00
|
|
|
# All properties used to configure log filtering.
|
|
|
|
attribute log_property_type;
|
2018-05-30 10:38:09 +02:00
|
|
|
|
|
|
|
# All properties that are not specific to device but are added from
|
|
|
|
# outside of AOSP. (e.g. OEM-specific properties)
|
|
|
|
# These properties are not accessible from device-specific domains
|
|
|
|
attribute extended_core_property_type;
|
2016-04-15 20:10:06 +02:00
|
|
|
|
2015-04-09 00:12:24 +02:00
|
|
|
# All service_manager types created by system_server
|
2015-04-03 01:50:08 +02:00
|
|
|
attribute system_server_service;
|
|
|
|
|
|
|
|
# services which should be available to all but isolated apps
|
|
|
|
attribute app_api_service;
|
|
|
|
|
Start locking down access to services from ephemeral apps
This starts with the reduction in the number of services that
ephemeral apps can access. Prior to this commit, ephemeral apps were
permitted to access most of the service_manager services accessible
by conventional apps. This commit reduces this set by removing access
from ephemeral apps to:
* gatekeeper_service,
* sec_key_att_app_id_provider_service,
* wallpaper_service,
* wifiaware_service,
* wifip2p_service,
* wifi_service.
Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine.
Bug: 33349998
Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3
2017-02-28 22:59:06 +01:00
|
|
|
# services which should be available to all ephemeral apps
|
|
|
|
attribute ephemeral_app_api_service;
|
|
|
|
|
2015-04-03 01:50:08 +02:00
|
|
|
# services which export only system_api
|
|
|
|
attribute system_api_service;
|
2014-12-17 00:45:26 +01:00
|
|
|
|
2017-04-06 18:24:41 +02:00
|
|
|
# All types used for services managed by servicemanager.
|
2015-09-25 03:10:54 +02:00
|
|
|
# On change, update CHECK_SC_ASSERT_ATTRS
|
|
|
|
# definition in tools/checkfc.c.
|
2014-06-06 00:52:02 +02:00
|
|
|
attribute service_manager_type;
|
|
|
|
|
2017-04-06 18:24:41 +02:00
|
|
|
# All types used for services managed by hwservicemanager
|
|
|
|
attribute hwservice_manager_type;
|
|
|
|
|
2017-04-22 02:06:43 +02:00
|
|
|
# All HwBinder services guaranteed to be passthrough. These services always run
|
|
|
|
# in the process of their clients, and thus operate with the same access as
|
|
|
|
# their clients.
|
|
|
|
attribute same_process_hwservice;
|
|
|
|
|
|
|
|
# All HwBinder services guaranteed to be offered only by core domain components
|
|
|
|
attribute coredomain_hwservice;
|
|
|
|
|
2017-04-06 18:24:41 +02:00
|
|
|
# All types used for services managed by vndservicemanager
|
|
|
|
attribute vndservice_manager_type;
|
|
|
|
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All domains that can override MLS restrictions.
|
|
|
|
# i.e. processes that can read up and write down.
|
|
|
|
attribute mlstrustedsubject;
|
|
|
|
|
|
|
|
# All types that can override MLS restrictions.
|
|
|
|
# i.e. files that can be read by lower and written by higher
|
|
|
|
attribute mlstrustedobject;
|
|
|
|
|
|
|
|
# All domains used for apps.
|
|
|
|
attribute appdomain;
|
|
|
|
|
2017-02-13 22:33:27 +01:00
|
|
|
# All third party apps.
|
|
|
|
attribute untrusted_app_all;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# All domains used for apps with network access.
|
|
|
|
attribute netdomain;
|
|
|
|
|
|
|
|
# All domains used for apps with bluetooth access.
|
|
|
|
attribute bluetoothdomain;
|
|
|
|
|
|
|
|
# All domains used for binder service domains.
|
|
|
|
attribute binderservicedomain;
|
2016-04-22 22:23:36 +02:00
|
|
|
|
2016-08-04 05:31:37 +02:00
|
|
|
# update_engine related domains that need to apply an update and run
|
|
|
|
# postinstall. This includes the background daemon and the sideload tool from
|
|
|
|
# recovery for A/B devices.
|
|
|
|
attribute update_engine_common;
|
2016-11-15 19:05:55 +01:00
|
|
|
|
2017-03-23 22:27:32 +01:00
|
|
|
# All core domains (as opposed to vendor/device-specific domains)
|
|
|
|
attribute coredomain;
|
|
|
|
|
2017-03-31 02:39:00 +02:00
|
|
|
# All socket devices owned by core domain components
|
|
|
|
attribute coredomain_socket;
|
2018-01-24 16:01:13 +01:00
|
|
|
expandattribute coredomain_socket false;
|
2017-03-31 02:39:00 +02:00
|
|
|
|
2017-03-23 22:27:32 +01:00
|
|
|
# All vendor domains which violate the requirement of not using Binder
|
|
|
|
# TODO(b/35870313): Remove this once there are no violations
|
|
|
|
attribute binder_in_vendor_violators;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute binder_in_vendor_violators false;
|
2017-03-23 22:27:32 +01:00
|
|
|
|
2017-03-25 00:07:35 +01:00
|
|
|
# All vendor domains which violate the requirement of not using sockets for
|
|
|
|
# communicating with core components
|
|
|
|
# TODO(b/36577153): Remove this once there are no violations
|
|
|
|
attribute socket_between_core_and_vendor_violators;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute socket_between_core_and_vendor_violators false;
|
2017-03-25 00:07:35 +01:00
|
|
|
|
2017-04-15 06:26:57 +02:00
|
|
|
# All vendor domains which violate the requirement of not executing
|
|
|
|
# system processes
|
|
|
|
# TODO(b/36463595)
|
|
|
|
attribute vendor_executes_system_violators;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute vendor_executes_system_violators false;
|
2017-04-15 06:26:57 +02:00
|
|
|
|
2017-10-17 22:07:54 +02:00
|
|
|
# All domains which violate the requirement of not sharing files by path
|
|
|
|
# between between vendor and core domains.
|
|
|
|
# TODO(b/34980020)
|
|
|
|
attribute data_between_core_and_vendor_violators;
|
|
|
|
expandattribute data_between_core_and_vendor_violators false;
|
|
|
|
|
2017-12-21 00:38:35 +01:00
|
|
|
# All system domains which violate the requirement of not executing vendor
|
|
|
|
# binaries/libraries.
|
|
|
|
# TODO(b/62041836)
|
|
|
|
attribute system_executes_vendor_violators;
|
|
|
|
expandattribute system_executes_vendor_violators false;
|
|
|
|
|
2018-05-02 00:15:16 +02:00
|
|
|
# All system domains which violate the requirement of not writing vendor
|
|
|
|
# properties.
|
|
|
|
# TODO(b/78598545): Remove this once there are no violations
|
|
|
|
attribute system_writes_vendor_properties_violators;
|
|
|
|
expandattribute system_writes_vendor_properties_violators false;
|
|
|
|
|
2017-06-21 19:00:32 +02:00
|
|
|
# hwservices that are accessible from untrusted applications
|
|
|
|
# WARNING: Use of this attribute should be avoided unless
|
|
|
|
# absolutely necessary. It is a temporary allowance to aid the
|
|
|
|
# transition to treble and will be removed in a future platform
|
|
|
|
# version, requiring all hwservices that are labeled with this
|
|
|
|
# attribute to be submitted to AOSP in order to maintain their
|
|
|
|
# app-visibility.
|
|
|
|
attribute untrusted_app_visible_hwservice;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute untrusted_app_visible_hwservice false;
|
|
|
|
|
|
|
|
# halserver domains that are accessible to untrusted applications. These
|
|
|
|
# domains are typically those hosting hwservices attributed by the
|
|
|
|
# untrusted_app_visible_hwservice.
|
|
|
|
# WARNING: Use of this attribute should be avoided unless absolutely necessary.
|
|
|
|
# It is a temporary allowance to aid the transition to treble and will be
|
|
|
|
# removed in the future platform version, requiring all halserver domains that
|
|
|
|
# are labeled with this attribute to be submitted to AOSP in order to maintain
|
|
|
|
# their app-visibility.
|
|
|
|
attribute untrusted_app_visible_halserver;
|
|
|
|
expandattribute untrusted_app_visible_halserver false;
|
2017-06-21 19:00:32 +02:00
|
|
|
|
2017-05-01 22:01:44 +02:00
|
|
|
# PDX services
|
|
|
|
attribute pdx_endpoint_dir_type;
|
|
|
|
attribute pdx_endpoint_socket_type;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute pdx_endpoint_socket_type false;
|
2017-05-01 22:01:44 +02:00
|
|
|
attribute pdx_channel_socket_type;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute pdx_channel_socket_type false;
|
2017-05-01 22:01:44 +02:00
|
|
|
|
|
|
|
pdx_service_attributes(display_client)
|
|
|
|
pdx_service_attributes(display_manager)
|
|
|
|
pdx_service_attributes(display_screenshot)
|
|
|
|
pdx_service_attributes(display_vsync)
|
|
|
|
pdx_service_attributes(performance_client)
|
|
|
|
pdx_service_attributes(bufferhub_client)
|
|
|
|
|
2017-02-13 23:40:49 +01:00
|
|
|
# All HAL servers
|
|
|
|
attribute halserverdomain;
|
|
|
|
# All HAL clients
|
|
|
|
attribute halclientdomain;
|
2017-09-26 21:58:29 +02:00
|
|
|
expandattribute halclientdomain true;
|
2017-01-11 00:54:25 +01:00
|
|
|
|
2018-05-15 23:16:57 +02:00
|
|
|
# Exempt for halserverdomain to access sockets. Only builds for automotive
|
|
|
|
# device types are allowed to use this attribute (enforced by CTS).
|
|
|
|
# Unlike phone, in a car many modules are external from Android perspective and
|
|
|
|
# HALs should be able to communicate with those devices through sockets.
|
|
|
|
attribute hal_automotive_socket_exemption;
|
|
|
|
|
2016-11-15 19:05:55 +01:00
|
|
|
# HALs
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(allocator);
|
2018-03-10 23:13:01 +01:00
|
|
|
hal_attribute(audio);
|
2018-04-10 23:07:14 +02:00
|
|
|
hal_attribute(audiocontrol);
|
2018-01-10 17:11:46 +01:00
|
|
|
hal_attribute(authsecret);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(bluetooth);
|
2018-03-10 23:13:01 +01:00
|
|
|
hal_attribute(bootctl);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(broadcastradio);
|
2018-03-10 23:13:01 +01:00
|
|
|
hal_attribute(camera);
|
|
|
|
hal_attribute(cas);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(configstore);
|
2018-01-09 23:42:53 +01:00
|
|
|
hal_attribute(confirmationui);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(contexthub);
|
2018-03-10 23:13:01 +01:00
|
|
|
hal_attribute(drm);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(dumpstate);
|
2018-04-10 23:07:14 +02:00
|
|
|
hal_attribute(evs);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(fingerprint);
|
|
|
|
hal_attribute(gatekeeper);
|
|
|
|
hal_attribute(gnss);
|
|
|
|
hal_attribute(graphics_allocator);
|
|
|
|
hal_attribute(graphics_composer);
|
|
|
|
hal_attribute(health);
|
|
|
|
hal_attribute(ir);
|
|
|
|
hal_attribute(keymaster);
|
|
|
|
hal_attribute(light);
|
|
|
|
hal_attribute(lowpan);
|
|
|
|
hal_attribute(memtrack);
|
|
|
|
hal_attribute(neuralnetworks);
|
|
|
|
hal_attribute(nfc);
|
|
|
|
hal_attribute(oemlock);
|
2018-05-26 01:23:37 +02:00
|
|
|
hal_attribute(omx);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(power);
|
2018-01-04 19:33:20 +01:00
|
|
|
hal_attribute(secure_element);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(sensors);
|
|
|
|
hal_attribute(telephony);
|
|
|
|
hal_attribute(tetheroffload);
|
|
|
|
hal_attribute(thermal);
|
|
|
|
hal_attribute(tv_cec);
|
|
|
|
hal_attribute(tv_input);
|
|
|
|
hal_attribute(usb);
|
2018-01-08 18:29:40 +01:00
|
|
|
hal_attribute(usb_gadget);
|
2018-04-10 23:07:14 +02:00
|
|
|
hal_attribute(vehicle);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(vibrator);
|
|
|
|
hal_attribute(vr);
|
|
|
|
hal_attribute(weaver);
|
|
|
|
hal_attribute(wifi);
|
2017-12-23 00:03:15 +01:00
|
|
|
hal_attribute(wifi_hostapd);
|
2017-09-26 21:58:29 +02:00
|
|
|
hal_attribute(wifi_offload);
|
|
|
|
hal_attribute(wifi_supplicant);
|
Wifi Keystore HAL is not a HAL
Wifi Keystore HAL is a HwBinder service (currently offered by keystore
daemon) which is used by Wifi Supplicant HAL. This commit thus
switches the SELinux policy of Wifi Keystore HAL to the approach used
for non-HAL HwBinder services.
The basic idea is simimilar to how we express Binder services in the
policy, with two tweaks: (1) we don't have 'hwservicemanager find' and
thus there's no add_hwservice macro, and (2) we need loosen the
coupling between core and vendor components. For example, it should be
possible to move a HwBinder service offered by a core component into
another core component, without having to update the SELinux policy of
the vendor image. We thus annotate all components offering HwBinder
service x across the core-vendor boundary with x_server, which enables
the policy of clients to contain rules of the form:
binder_call(mydomain, x_server), and, if the service uses IPC
callbacks, also binder_call(x_server, mydomain).
Test: mmm system/sepolicy
Test: sesearch indicates to changes to binder { call transfer} between
keystore and hal_wifi_supplicant_default domains
Bug: 36896667
Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
2017-04-04 23:56:31 +02:00
|
|
|
|
|
|
|
# HwBinder services offered across the core-vendor boundary
|
|
|
|
#
|
|
|
|
# We annotate server domains with x_server to loosen the coupling between
|
|
|
|
# system and vendor images. For example, it should be possible to move a service
|
|
|
|
# from one core domain to another, without having to update the vendor image
|
|
|
|
# which contains clients of this service.
|
|
|
|
|
2017-05-17 02:43:52 +02:00
|
|
|
attribute display_service_server;
|
Wifi Keystore HAL is not a HAL
Wifi Keystore HAL is a HwBinder service (currently offered by keystore
daemon) which is used by Wifi Supplicant HAL. This commit thus
switches the SELinux policy of Wifi Keystore HAL to the approach used
for non-HAL HwBinder services.
The basic idea is simimilar to how we express Binder services in the
policy, with two tweaks: (1) we don't have 'hwservicemanager find' and
thus there's no add_hwservice macro, and (2) we need loosen the
coupling between core and vendor components. For example, it should be
possible to move a HwBinder service offered by a core component into
another core component, without having to update the SELinux policy of
the vendor image. We thus annotate all components offering HwBinder
service x across the core-vendor boundary with x_server, which enables
the policy of clients to contain rules of the form:
binder_call(mydomain, x_server), and, if the service uses IPC
callbacks, also binder_call(x_server, mydomain).
Test: mmm system/sepolicy
Test: sesearch indicates to changes to binder { call transfer} between
keystore and hal_wifi_supplicant_default domains
Bug: 36896667
Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
2017-04-04 23:56:31 +02:00
|
|
|
attribute wifi_keystore_service_server;
|